The GDPR has generated a considerable buzz online. This legislation’s primary goal is to create a set of easy-to-follow rules for the entire EU, which uphold the highest standards of data privacy. Despite being an EU regulation, the GDPR will apply to any site that collects data from EU citizens. This means that if you’re running a WordPress website with registration enabled, and some of your users reside in the EU, the GDPR technically applies to you.

The purpose of the GDPR is to regulate how personal data is collected and managed by services. It does not forbid collecting personal data at all. It only requires that the visitor be made aware that data is being collected and how it is handled, and that they give explicit consent to this.

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

The GDPR can impose several types of penalties. You could get fined 2% of your worldwide annual revenue for failing to disclose a data breach, or up to 4% for failing to ask for user consent when storing data.

The good news is that there is a dedicated team of WordPress Core contributors working on GDPR-proofing the Core code. They have a website set up where admins and devs can keep up with the progress and see what you need to do to get yourself (and your clients) into compliance: GDPR for WordPress.

Below we provide specific information and some technical measures related to our Uncode WordPress theme.

Uncode Privacy Plugin

Uncode is a flexible WordPress theme that can use (depending on user choice) external services like YouTube, Vimeo, SoundCloud, Spotify, Google Fonts, Twitter, Facebook and tracking codes. All these popular services use cookies and scripts that send personal data, such as the IP address, to the provider of the service in exchange for the free service offered (this is the same thing that happens when you use the YouTube website, etc.). According to the new GDPR legislation, a user must agree through explicit consent before these services are used and before each type of personal data is processed. For this reason, we developed the Uncode Privacy plugin. When this plugin is installed and properly configured, it is possible to block the use of third-party services until the user gives explicit consent.

Google Fonts

There is no doubt that Google Fonts is a wonderful service that allows you to easily use more than 800 fonts free of charge, but when you use this service Google stores the visitor's IP address in exchange for the service offered.

In Uncode, when you install demo content a few Google Fonts are imported (these are the same ones used by the demo, for demonstration purposes). It is up to you to choose whether to use this convenient method or to install the fonts locally on your server. If you decide to use the default method, we suggest creating a Privacy and Cookie page as described later on this page. Alternatively, if you want to use Google Fonts installed on your own server (which is now the suggested method), please continue with the Self-hosted Google Fonts tutorial:

Google Analytics

Another service that is used by virtually all sites is Google Analytics. The big question on everyone's mind is whether they really need to get explicit consent for tracking. After all, this could be a substantial amount of work and could absolutely impact the participation of users in your Google Analytics data. The answer to this question is multi-pronged: most likely you will, it depends, and you should seek legal counsel.

In any case, a good improvement is to use the anonymized IP function, so that the IP addresses of the users who visit your site are not stored in your Analytics account. Please find all the information in the dedicated documentation page:

YouTube and Vimeo

Other great services that we all use are YouTube and Vimeo (as well as SoundCloud and Spotify). In Uncode you have the option of using these services or uploading a self-hosted video to your server. Naturally, these services also collect data from the users who are viewing the video in exchange for the free service offered.

If you need to be strictly compliant with the GDPR, you must use self-hosted videos loaded from your own server. Naturally, an increase in the use of self-hosted videos is expected.

If you need to use YouTube, Vimeo, SoundCloud or Spotify and still be strictly compliant with the GDPR, please read the documentation and implement the GDPR plugin:

Contact Forms

The GDPR says that you must get user consent to process any data, and this also applies to forms. Uncode uses the very popular free Contact Form 7 plugin. If you need to be compliant with GDPR requirements you have to take some precautions, as described in the dedicated Contact Forms documentation page: include a checkbox with a link to your Privacy Policy and save the consent.

Alternatively, you can use Gravity Forms, which has a native option to save each message together with the consent received. Gravity Forms is supported by Uncode, but it is not a free plugin, so we cannot bundle it with our product.
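One way to save the consent collected by a Contact Form 7 acceptance checkbox, as an added example that is not part of Uncode or Contact Form 7 (the tag name privacy-consent, the custom post type privacy_consent and the function name are assumptions; your-email is CF7's default email field name):

```php
<?php
// Assumed form markup in the Contact Form 7 editor (the tag name is ours):
//   [acceptance privacy-consent] I have read the <a href="/privacy-policy/">Privacy Policy</a> [/acceptance]

// Record the consent just before Contact Form 7 sends the mail.
add_action( 'wpcf7_before_send_mail', 'example_store_privacy_consent', 10, 1 );

function example_store_privacy_consent( $contact_form ) {
    $submission = WPCF7_Submission::get_instance();
    if ( ! $submission ) {
        return;
    }
    $data = $submission->get_posted_data();

    // The acceptance checkbox posts "1" when ticked; anything else means no consent.
    $consented = isset( $data['privacy-consent'] ) && '1' === (string) $data['privacy-consent'];
    if ( ! $consented ) {
        return;
    }

    // Keep only what is needed to evidence the consent: form id, timestamp,
    // the policy version that was shown and the address the user entered.
    $email = isset( $data['your-email'] ) ? sanitize_email( $data['your-email'] ) : '';

    wp_insert_post( array(
        'post_type'   => 'privacy_consent',  // hypothetical private post type, registered below
        'post_status' => 'private',
        'post_title'  => 'Consent ' . gmdate( 'c' ),
        'meta_input'  => array(
            'form_id'        => $contact_form->id(),
            'email'          => $email,
            'consented_at'   => gmdate( 'c' ),
            'policy_version' => '2018-05-25', // constructed value: change when the policy text changes
        ),
    ) );
}

// A non-public post type so consent records never appear on the site and
// cannot be created by hand from the admin (only by the hook above).
add_action( 'init', function () {
    register_post_type( 'privacy_consent', array(
        'public'       => false,
        'show_ui'      => true,
        'label'        => 'Privacy consents',
        'supports'     => array( 'title', 'custom-fields' ),
        'capabilities' => array( 'create_posts' => 'do_not_allow' ),
        'map_meta_cap' => true,
    ) );
} );
```

Each stored record is itself personal data, so it belongs in the same retention and erasure handling as the rest of the form submissions.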

I Recommend This

In Uncode versions prior to 1.8.2 a plugin named 'I Recommend This' was used to provide the "like" feature on posts (heart icon). To prevent a user from clicking the same like repeatedly, this plugin saved the user's IP address. Given that under the GDPR the IP address is personal data, we decided to remove this functionality from Uncode to ensure greater compliance (since this simple functionality was the only feature that could make Uncode non-compliant).

If you want to activate or re-activate this feature on your installation, please follow:

Privacy and Cookies Policy

As for the other parts of the GDPR’s information retention clauses, you can include the details on the data’s why, how, and who in either your Terms of Service or Privacy Policy. It is now more important than ever to have a Privacy and Cookies Policy in place.

There are many free online services that help you create a Privacy and Cookies Policy almost automatically. An excellent service we can suggest is Iubenda. Iubenda is an elegant way to generate a privacy policy for your website, mobile app or Facebook app. It is continuously updated and available in multiple languages:

Uncode Cookies

It is important to specify that the only native cookies used by the Uncode theme are GDPR-compliant. To run the Adaptive Images system, Uncode makes use of three technical cookies that only contain runtime information about the viewport and screen resolution; this data is created on every page refresh to calculate the correct Adaptive Images. No personal information is stored within these cookies.

WordPress 4.9.6

An article about GDPR Compliance Tools in WordPress was posted on WordPress.org shedding light on the new privacy features that WordPress added in its latest release, 4.9.6, which shipped on May 17, 2018. The main features are new areas for handling data export and erasure requests, a new privacy policy page and a consent checkbox for the comments form.

WooCommerce 3.4

Enforcement of the EU General Data Protection Regulation (GDPR) begins shortly after the release of WooCommerce 3.4. The WooCommerce team added tools and features to help store owners become GDPR-compliant and deal with GDPR requests from customers.

Some of these features include: ability to add privacy policy text to checkout and account pages, integration with the exporter coming in WordPress core (soon), tools to clean up (trash) and anonymize old orders which don’t need processing, tools to remove some optional fields from the checkout.

Important

Just using Uncode does not guarantee that an organization is successfully meeting its responsibilities and obligations to the GDPR. This page is a brief introduction of the GDPR, and presents some of the specific features of Uncode that can help you comply with the regulation. Organizations should assess their unique responsibilities, and ensure that any additional measures are taken that are necessary to meet any obligations required by law, as based on a data protection impact assessment.